Bug 1543457 (CVE-2018-6791)

Summary: CVE-2018-6791 kde-runtime: Arbitrary command execution in the removable device notifier
Product: [Other] Security Response Reporter: Adam Mariš <amaris>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jgrulich, kde-sig, me, rdieter, than
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: plasma-workspace 5.8.9, plasma-workspace 5.12.0 Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2018-04-30 06:19:30 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 1543471    
Bug Blocks: 1543469    

Description Adam Mariš 2018-02-08 13:45:22 UTC 
An issue was discovered in soliduiserver/deviceserviceaction.cpp in KDE Plasma Workspace before 5.12.0. When a vfat thumbdrive that contains `` or $() in its volume label is plugged in and mounted through the device notifier, it's interpreted as a shell command, leading to a possibility of arbitrary command execution. An example of an offending volume label is "$(touch b)" -- this will create a file called b in the home folder.

External References:

https://www.kde.org/info/security/advisory-20180208-2.txt
Comment 1 Adam Mariš 2018-02-08 14:09:16 UTC 
Created plasma-workspace tracking bugs for this issue:

Affects: fedora-all [bug 1543471]
Comment 2 Tomas Hoger 2018-03-08 20:47:33 UTC 
Upstream commits:

Plasma 5.8:
https://commits.kde.org/plasma-workspace/9db872df82c258315c6ebad800af59e81ffb9212

Plasma 5.9/5.10/5.11:
https://commits.kde.org/plasma-workspace/f32002ce50edc3891f1fa41173132c820b917d57
Comment 3 Stefan Cornelius 2018-04-30 06:19:41 UTC 
Statement:

This issue did not affect the versions of kdebase-runtime as shipped with Red Hat Enterprise Linux 6. This issue did not affect the versions of kde-runtime as shipped with Red Hat Enterprise Linux 7.